aws re:invent 2016: security automation: spend less time securing your applications (sac316)

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. December 1, 2016 SAC316 Security Automation Using AWS WAF: Spend Less Time Securing Your Applications

Upload: amazon-web-services

Post on 06-Jan-2017


Page 1: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

December 1, 2016

SAC316

Security Automation Using AWS WAF: Spend Less Time Securing Your Applications

Page 2: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

What to expect from this session

Introduction to AWS WAF

AWS WAF 101

Page 3: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

What to expect from this session

Introduction to AWS WAF

AWS WAF security automation strategies

AWS WAF 101

Page 4: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

What to expect from this session

Introduction to AWS WAF

AWS WAF security automation strategies

AWS WAF 101

5 automation strategies:

1. Provisioning WAF

2. Deploying WAF

3. Importing rules

4. Automated incident response

5. Learning-based protections

Page 5: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

What to expect from this session

Introduction to AWS WAF

AWS WAF security automation strategies

AWS WAF 101

Demo and getting started

Page 6: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

What is AWS WAF

AWS WAF 101

Page 7: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

What is AWS WAF

Page 8: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why AWS WAF?

Application vulnerabilities

[Diagram: Good users and Bad guys → AWS WAF → Web server → Database; the Bad guys send exploit code]

Page 9: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why AWS WAF?

Content abuse: Bots and scrapers

[Diagram: Good users and Bad guys → AWS WAF → Web server → Database]

Page 10: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why AWS WAF?

Application DDoS

[Diagram: Good users and Bad guys → AWS WAF → Web server → Database]

Page 11: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF: Rules in action

Monitor security events

Page 12: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF: Integrated with AWS

Amazon CloudFront: Global content delivery network to accelerate websites, API, video content, and other web assets

Page 13: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF: Integrated with AWS

Amazon CloudFront: Global content delivery network to accelerate websites, API, video content, and other web assets

Application Load Balancer: Load balancer with advanced request routing, and support for microservices and container-based applications

Announcing today..

Page 14: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why is ALB integration important?

Page 15: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why is ALB integration important?

Applications not using Amazon CloudFront

[Diagram: Good users, Bad guys, AWS WAF (region), Amazon CloudFront, Amazon S3]

Page 16: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why is ALB integration important?

Block traffic that bypasses any proxy, like a CDN

[Diagram: Good users, Bad guys, Amazon CloudFront with AWS WAF, AWS WAF (region)]

Page 17: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why is ALB integration important?

Protect internal load balancer

[Diagram: Good users, Bad guys → AWS WAF (region) → TCP/SSL ELB → NGINX TLS termination → Application server]

Page 18: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

How to enable WAF on ALB

Demo

Page 19: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

What to expect from this session

Introduction to AWS WAF

AWS WAF security automation strategies

AWS WAF 101

Demo and getting started

Page 20: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why security automation

Spend less time securing your applications

Instead, focus on building applications

Page 21: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

We built a WAF that has…

Customizable and flexible rules

Quick rule update

APIs: Integration with DevOps

…allowing several WAF automation strategies

Page 22: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF security automation strategies..

Provisioning WAF, Configuring rules, Importing rules, Automated incident response, Learning-based protections

… to spend less time securing applications

Page 23: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF security automation strategies

Provisioning WAF, Configuring rules, Importing rules, Automated incident response, Learning-based protections

Page 24: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF

Step 1 – Create web ACL

Page 25: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF

Step 1 – Create web ACL

Step 2 – Add rule

Rule 1: Whitelist [ALLOW]

Rule 2: Blacklist [BLOCK]

Rule 3: Common protection [BLOCK]

Page 26: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF

Step 1 – Create web ACL

Step 2 – Add rule

Step 3 – Add condition

Rule 1: Whitelist [ALLOW] – IP whitelist

Rule 2: Blacklist [BLOCK] – IP blacklist

Rule 3: Common protection [BLOCK] – SQL injection, URL match

Page 27: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF

Step 1 – Create web ACL

Step 2 – Add rule

Step 3 – Add condition

Step 4 – Associate (CloudFront, ALB)

Rule 1: Whitelist [ALLOW] – IP whitelist

Rule 2: Blacklist [BLOCK] – IP blacklist

Rule 3: Common protection [BLOCK] – SQL injection, URL match

Page 28: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF: Reuse

Spend less time by reusing WAF rules

Page 29: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF: Reuse

Rule 1: Whitelist [ALLOW] – IP whitelist (internal IP)

Rule 2: Blacklist [BLOCK] – IP blacklist (known bad)

Rule 3: Common protection #1 [BLOCK] – SQL injection, URL match

Rule 4: Common protection #2 [BLOCK] – XSS match

Web ACL #1 → ALB 1 (dev env)

Web ACL #2 → ALB 2 (prod env)

Spend less time by reusing WAF rules

Page 30: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF: Reuse

Rule 1: Whitelist [ALLOW] – IP whitelist (internal IP)

Rule 2: Blacklist [BLOCK] – IP blacklist (known bad)

Rule 3: Common protection #1 [BLOCK] – SQL injection, URL match

Rule 4: Common protection #2 [BLOCK] – XSS match

Web ACL #1 → ALB 1 (dev env)

Web ACL #2 → ALB 2 (prod env)

ALB 3 (new app)

Spend less time by reusing WAF rules

Page 31: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF

Quickly fix vulnerabilities

Example: {CVE-2016-538}

• Server-side web applications that utilize the HTTP_Proxy header as an environment variable

• Attacker could intercept connections between a client and server.

Quick solution: Use AWS WAF to configure a rule to detect and block web requests that contain a proxy header.


Page 33: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF

Rule 1: Whitelist [ALLOW] – IP whitelist (internal IP)

Rule 2: Blacklist [BLOCK] – IP blacklist (known bad)

Rule 3: Common protection #1 [BLOCK] – SQL injection, URL match

Rule 4: Common protection #2 [BLOCK] – XSS match

Rule 5: CVE-2016-538 [BLOCK] – Header match

Web ACL #1 → ALB 1 (dev env)

Web ACL #2 → ALB 2 (prod env)

ALB 3 (new app)

Spend less time by reusing WAF rules

Page 34: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF: Rule strategy

Negative – Typical of prod deployment: ALLOW by default, BLOCK known bad

Examples:

• BLOCK MalwareIncIPRange

• BLOCK “{;}”

Positive – Typical of restricted site: BLOCK by default, ALLOW known good

Examples:

• ALLOW SeattleOfficeIPRange

• ALLOW referrer header “example.com”
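The following is an added example, not code from the slides or from AWS: a small model of how a web ACL evaluates a request, with the negative and positive strategies above expressed as two ACLs that differ only in their default action and in which side (known bad or known good) the rules enumerate. It also carries the quick fix from the CVE slide as a size-constraint rule on the Proxy header. MalwareIncIPRange and SeattleOfficeIPRange are the slide's placeholder names; the CIDRs, rule names and the Request class are this example's own constructions.

```python
"""Model of AWS WAF web ACL evaluation: ordered rules, then a default action.

Added example (not AWS code). A rule fires when all of its conditions match;
the first rule that fires decides the request, otherwise the web ACL's
default action applies.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    source_ip: str
    uri: str = "/"
    query: str = ""
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive; None when the header is absent.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# Conditions are callables Request -> bool, modelled on the WAF condition
# types (IP match, string match, size constraint).
def ip_match(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.source_ip) in n for n in nets)


def query_contains(needle):
    # String match on the query string, positional constraint CONTAINS.
    return lambda r: needle in r.query


def header_contains(name, needle):
    # String match on a header, CONTAINS, case-insensitive.
    return lambda r: needle.lower() in (r.header(name) or "").lower()


def header_size_gt(name, size):
    # Size constraint on a header: a Proxy header longer than 0 bytes is "present".
    return lambda r: len(r.header(name) or "") > size


@dataclass
class Rule:
    name: str
    action: str        # "ALLOW" or "BLOCK"
    conditions: list   # all must match (logical AND)


@dataclass
class WebACL:
    default_action: str
    rules: list

    def evaluate(self, request):
        """Return (action, rule_name); rule_name is None when the default applies."""
        for rule in self.rules:
            if all(cond(request) for cond in rule.conditions):
                return rule.action, rule.name
        return self.default_action, None


# MalwareIncIPRange / SeattleOfficeIPRange are the slide's placeholder names;
# the CIDRs are constructed documentation ranges, not real addresses.
MALWARE_INC_IP_RANGE = "198.51.100.0/24"
SEATTLE_OFFICE_IP_RANGE = "203.0.113.0/24"

# Negative model (typical prod deployment): ALLOW by default, BLOCK known bad.
NEGATIVE_ACL = WebACL(default_action="ALLOW", rules=[
    Rule("BlockMalwareInc", "BLOCK", [ip_match(MALWARE_INC_IP_RANGE)]),
    Rule("BlockBraces", "BLOCK", [query_contains("{;}")]),
    # Quick fix from the CVE slide: drop requests that carry a Proxy header.
    Rule("BlockProxyHeader", "BLOCK", [header_size_gt("Proxy", 0)]),
])

# Positive model (typical restricted site): BLOCK by default, ALLOW known good.
POSITIVE_ACL = WebACL(default_action="BLOCK", rules=[
    Rule("AllowSeattleOffice", "ALLOW", [ip_match(SEATTLE_OFFICE_IP_RANGE)]),
    Rule("AllowReferrer", "ALLOW", [header_contains("Referer", "example.com")]),
])


if __name__ == "__main__":
    samples = [Request("192.0.2.1"), Request("198.51.100.7"), Request("203.0.113.9"),
               Request("192.0.2.1", query="x={;}"),
               Request("192.0.2.1", headers={"Proxy": "placeholder"})]
    for acl_name, acl in (("negative", NEGATIVE_ACL), ("positive", POSITIVE_ACL)):
        for req in samples:
            print(acl_name, req.source_ip, repr(req.query), acl.evaluate(req))
```

Two things the model makes visible: rule order matters, because the first matching rule wins, which is why the slides put the whitelist ALLOW rule before the blacklist BLOCK rule; and a CONTAINS match on the referrer is loose (it also accepts hosts that merely contain the string), so a restricted site would normally tighten it to an exact or ends-with match.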

Page 35: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Provisioning AWS WAF

Demo

Show how to get started

Reusing rules

Page 36: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF security automation strategies

Provisioning WAF, Configuring rules, Importing rules, Automated incident response, Learning-based protections

Page 37: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Configuring AWS WAF rules

Rule 1: Whitelist [ALLOW] – IP whitelist (internal IP)

Rule 2: Blacklist [BLOCK] – IP blacklist (known bad)

Rule 3: Common protection #1 [BLOCK] – SQL injection, URL match

Rule 4: Common protection #2 [BLOCK] – XSS match

Rule 5: CVE-2016-538 [BLOCK] – Header match

Web ACL #1 → ALB 1 (dev env)

Web ACL #2 → ALB 2 (prod env)

ALB 3 (new app)


Page 39: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Configuring AWS WAF rules

How to quickly get started with

common protections?

Page 40: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Configuring AWS WAF rules

Preconfigured AWS CloudFormation templates for common protection

[Diagram: CloudFormation template → AWS WAF configuration]

Page 41: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Configuring AWS WAF: Common protection

Enable common protections

SQL injection

Cross-site scripting

Attack from known bad IP addresses

Page 42: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Preconfigured protections: Customer example

Need quick setup and common protections like SQLi, XSS

“Overall, the entire stack so far has been extremely helpful. I truly would say that this stack should almost be a standard built-in for anyone looking to use WAF as I cannot begin to tell you how useful and truly effective it is.” (eVitamins)

Page 43: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Create a rule to block SQLi

/login?x=test%20Id=10 → Transform: URL decode → Match: SQL injection → False

/login?x=test%27%20UNION%20ALL%20select%20NULL%20-- → Transform: URL decode → /login?x=test’ UNION ALL select NULL -- → Match: SQL injection → True

Page 44: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Configuring AWS WAF: Common protection

Demo

Page 45: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF security automation strategies

Provisioning WAF, Configuring rules, Importing rules, Automated incident response, Learning-based protections


Page 47: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Configuring AWS WAF rules

Rule 1: Whitelist [ALLOW] – IP whitelist (internal IP)

Rule 2: Blacklist [BLOCK] – IP blacklist (known bad)

Rule 3: Common protection #1 [BLOCK] – SQL injection, URL match

Rule 4: Common protection #2 [BLOCK] – XSS match

Rule 5: CVE-2016-538 [BLOCK] – Header match

Web ACL #1 → ALB 1 (dev env)

Web ACL #2 → ALB 2 (prod env)

ALB 3 (new app)

Can we improve the common protections?

Page 48: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Configuring AWS WAF rules

“It is possible for almost any email server to block over 90% just based on IP reputation” – http://www.spamrats.com/ip_reputation_spam_stats.pdf

“IP reputation lists can identify roughly 90% of all spam” – http://www.acm.org/ (http://dl.acm.org/citation.cfm?id=1831448)

Page 49: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Importing AWS WAF rules

Import open source IP reputation lists

Page 50: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Importing AWS WAF rules

Open source IP reputation lists

Page 51: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Importing AWS WAF rules

Page 52: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Configuring AWS WAF rules

Rule 1: Whitelist [ALLOW] – IP whitelist (internal IP)

Rule 2: Blacklist [BLOCK] – IP blacklist (known bad)

Rule 3: Common protection #1 [BLOCK] – SQL injection, URL match

Rule 4: Common protection #2 [BLOCK] – XSS match

Rule 5: CVE-2016-538 [BLOCK] – Header match

Rule 6: IP reputation [BLOCK] – IP blacklist (known bad)

Web ACL #1 → ALB 1 (dev env)

Web ACL #2 → ALB 2 (prod env)

ALB 3 (new app)

Page 53: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Configuring AWS WAF rules

So far,

Whitelist known good

Blacklist known bad IP

Common protections like SQLi and XSS

Import IP reputation list

Page 54: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Configuring AWS WAF rules

So far,

Whitelist known good

Blacklist known bad IP

Common protections like SQLi and XSS

Import IP reputation list

How can you customize rules for your application?

Page 55: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF security automation strategies

Provisioning WAF, Configuring rules, Importing rules, Automated incident response, Learning-based protections

Page 56: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why security automation

• Set-and-forget rules are very effective

• But are not customized for your applications

• Malicious actors are adaptive and persistent

• Incident response for threat mitigation

Page 57: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why security automation

Traditional incident response

[Diagram: Good users and Bad guys → AWS WAF → Server; AWS WAF logs → Threat analysis → Notification → Security engineer]

Page 58: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why security automation

We need..

• Sophisticated out-of-band analysis

• Integrate application-specific data sources

• Automated incident response

Page 59: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Why security automation

Automated incident response

[Diagram: Good users and Bad guys → AWS WAF → Server; AWS WAF logs → Threat analysis → Rule updater → AWS WAF; Threat analysis → Notification → Security engineer]

Page 60: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF for automated incident response

Automatically respond to incidents based on real-time analysis

APIs for automation, ~1 min rule update, real-time processing

Page 61: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Security automation: Use cases

Attackers: HTTP floods, Scans and probes, Bots and scrapers

Use cases that static rules cannot protect effectively

Page 62: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

WAF example: A technical implementation

Blocking bad bots dynamically with AWS WAF web ACLs

Page 63: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

WAF example: Blocking bad bots

What we need…

• IPSet: Contains our list of blocked IP addresses

• Rule: Blocks requests if requests match IP in our IPSet

• Web ACL: Allow requests by default; contains our Rule

and…

• Mechanism to detect bad bots

• Mechanism to add bad bot IP address to IPSet

Page 64: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

WAF example: Detecting bad bots

• Use robots.txt to specify which areas of your site or web app should not be scraped

• Place file in your web root

• Ensure there are links pointing to nonscrapable content

• Hide a trigger script that normal users don’t see and good bots ignore

$ cat webroot/robots.txt
User-agent: *
Disallow: /honeypot/

<a href="/honeypot/" class="hidden" aria-hidden="true">click me</a>

Page 65: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

WAF example: Blacklist bad bots

• Bad bots (ignoring your robots.txt) will request the hidden link

• Trigger script will detect the source IP of the request

• Trigger script requests change token

• Trigger script adds source IP to IPSet blacklist

• Web ACL will block subsequent requests from that source

$ aws --endpoint-url https://carrot.amazon.com/ carrot get-change-token
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}

$ aws --endpoint-url https://carrot.amazon.com/ carrot update-ip-set --cli-input-json '{ "IPSetId": "<<IP SET ID>>", "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f", "Updates": [ { "Action": "INSERT", "IPSetDescriptor": { "Type": "IPV4", "Value": "<<SOURCE IP>>/32" } } ] }'
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}
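The trigger script on this slide and the reputation-list import from the "Importing rules" section both end in the same place: an IPSet update made with a fresh change token. The block below is an added example serving both passages; it is not the code of the slides, of the demo, or of the AWS solution. The slide's demo talks to a pre-release endpoint and service name; boto3's public "waf" and "waf-regional" clients expose the same operations as get_change_token, update_ip_set and get_ip_set, and those are the method names the injected client uses. FakeWafClient, SAMPLE_FEED, the IPSet id placeholder and the batch size are this example's own constructions so that it runs offline.

```python
"""IPSet maintenance for the honeypot trigger and the reputation-list import.

Added example (not AWS or solution code). The WAF client is injected so the
block runs offline with FakeWafClient; in a Lambda you would pass
boto3.client("waf-regional") for an ALB-scoped IPSet instead.
"""
import ipaddress


def parse_reputation_list(text):
    """One IP or CIDR per line, '#' starts a comment; returns canonical IPv4 CIDRs.

    Malformed lines and IPv6 entries are skipped so that one bad line in a
    third-party feed cannot abort the whole import.
    """
    cidrs = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            cidrs.add(str(net))
    return cidrs


def descriptor(action, cidr):
    return {"Action": action, "IPSetDescriptor": {"Type": "IPV4", "Value": cidr}}


def diff_ipset(current, desired):
    """Updates that turn the current CIDRs into the desired set.

    Reconciling (rather than blindly inserting) keeps the IPSet in sync when
    addresses drop off the feed and avoids re-inserting existing descriptors.
    """
    inserts = [descriptor("INSERT", c) for c in sorted(desired - current)]
    deletes = [descriptor("DELETE", c) for c in sorted(current - desired)]
    return inserts + deletes


def current_cidrs(client, ipset_id):
    """Read the IPSet's IPv4 descriptors (GetIPSet response shape)."""
    resp = client.get_ip_set(IPSetId=ipset_id)
    return {d["Value"] for d in resp["IPSet"]["IPSetDescriptors"] if d["Type"] == "IPV4"}


def apply_ipset_updates(client, ipset_id, updates, batch_size=500):
    """Submit updates in batches; every UpdateIPSet call needs its own token.

    batch_size is an assumption for this example; keep it under the per-call
    update limit that applies to your account.
    """
    tokens = []
    for start in range(0, len(updates), batch_size):
        token = client.get_change_token()["ChangeToken"]
        client.update_ip_set(IPSetId=ipset_id, ChangeToken=token,
                             Updates=updates[start:start + batch_size])
        tokens.append(token)
    return tokens


def blacklist_source_ip(client, ipset_id, source_ip):
    """Honeypot trigger: add one /32 for the client that fetched the hidden link."""
    addr = ipaddress.ip_address(source_ip)        # rejects anything that is not an IP
    if addr.version != 4:
        raise ValueError("this IPSet only holds IPv4 descriptors")
    return apply_ipset_updates(client, ipset_id, [descriptor("INSERT", f"{addr}/32")])


def import_feed(client, ipset_id, feed_text):
    """Reconcile the IPSet against a feed; returns the updates submitted."""
    updates = diff_ipset(current_cidrs(client, ipset_id), parse_reputation_list(feed_text))
    apply_ipset_updates(client, ipset_id, updates)
    return updates


class FakeWafClient:
    """Offline stand-in for boto3's WAF client, same method names and shapes."""

    def __init__(self, cidrs=()):
        self.cidrs = set(cidrs)
        self.issued = 0

    def get_change_token(self):
        self.issued += 1
        return {"ChangeToken": f"token-{self.issued}"}       # constructed token

    def get_ip_set(self, IPSetId):
        return {"IPSet": {"IPSetId": IPSetId, "Name": "fake",
                          "IPSetDescriptors": [{"Type": "IPV4", "Value": c}
                                               for c in sorted(self.cidrs)]}}

    def update_ip_set(self, IPSetId, ChangeToken, Updates):
        for u in Updates:
            value = u["IPSetDescriptor"]["Value"]
            (self.cidrs.add if u["Action"] == "INSERT" else self.cidrs.discard)(value)
        return {"ChangeToken": ChangeToken}


# Constructed feed (documentation ranges), not a real reputation list.
SAMPLE_FEED = """# constructed reputation feed
192.0.2.0/24
198.51.100.5
not-an-ip        # skipped
2001:db8::1      # IPv6, skipped
192.0.2.0/24     # duplicate, collapsed
"""

if __name__ == "__main__":
    waf = FakeWafClient({"198.51.100.5/32", "203.0.113.0/24"})
    print(import_feed(waf, "IPSET-ID-PLACEHOLDER", SAMPLE_FEED))
    blacklist_source_ip(waf, "IPSET-ID-PLACEHOLDER", "192.0.2.77")
    print(sorted(current_cidrs(waf, "IPSET-ID-PLACEHOLDER")))
```

One caveat for the honeypot path: when the application sits behind CloudFront or an ALB, the connection's peer address is the proxy's, so the trigger script has to take the client address that the trusted proxy appended to X-Forwarded-For, otherwise it will blacklist the proxy and block everyone behind it.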

Page 66: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Automated incident response using AWS WAF

Automated incident response is effective

Customized for your application

Page 67: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Automated incident response: Customer example

Page 68: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

MapBox uses WAF to protect from bots

[Diagram: Good users and Bad guys → AWS WAF → Server; AWS WAF logs → Threat analysis → Rule updater]

Page 69: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Automated incident response using AWS WAF

• But attackers are persistent

• Adapt to firewall rules

Can we adapt our firewall rules?

Build continuously learning automated security

Page 70: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF security automation strategies

Provisioning WAF, Configuring rules, Importing rules, Security Automation, Learning-based protections

Page 71: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

What is machine learning

Machine learning is the technology that automatically finds patterns in your data and uses them to make predictions for new data points as they become available

Your data + machine learning = smart applications

Page 72: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Amazon Machine Learning

Easy-to-use, managed machine learning service built for developers

Robust, powerful machine learning technology based on Amazon’s internal systems

Create models using your data already stored in the AWS Cloud

Deploy models to production in seconds

Page 73: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF with Amazon Machine Learning

[Diagram: Good HTTP requests and Bad HTTP requests → Amazon Machine Learning: 1. Build model, 2. Train model, 3. Evaluate model, 4. Retrieve prediction → Update AWS WAF; All real HTTP requests → AWS WAF]

Page 74: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF with Amazon Machine Learning

A PoC on learning-based WAF

Page 75: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF with Amazon Machine Learning

The problem:

Detect requests from domain generation algorithms

Solution:

Use referrer header to detect bad domains visiting my website based on machine learning

Page 76: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF with Amazon Machine Learning

1. Data preparation – Feature engineering

2. Train model based on known good and bad domains

3. Evaluate using real data

Page 77: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF with Amazon Machine Learning

1. Data preparation – Feature engineering

Page 78: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF with Amazon Machine Learning

2. Train model based on known good and bad domains

Good domains: Alexa 10,000

Bad domains: Known phishing domains

Page 79: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF with Amazon Machine Learning

3. Evaluate using real data

Use raw logs from CloudFront logs

#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version
2014-05-23 01:13:11 FRA2 182 192.0.2.10 GET d111111abcdef8.cloudfront.net /view/my/file.html 200 www.displaymyfiles.com Mozilla/4.0%20(compatible;%20MSIE%205.0b1;%20Mac_PowerPC) - zip=98101 RefreshHit MRVMF7KydIvxMWfJIglgwHQwZsbG2IhRJ07sn9AkKUFSHS9EXAMPLE== d111111abcdef8.cloudfront.net http - 0.001 - - - RefreshHit HTTP/1.1
2014-05-23 01:13:12 LAX1 2390282 192.0.2.202 GET d111111abcdef8.cloudfront.net /soundtrack/happy.mp3 304 www.unknownsingers.com Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1) a=b&c=d zip=50158 Hit xGN7KWpVEmB9Dp7ctcVFQC4E-nrcOcEKS3QyAez--06dV7TEXAMPLE== d111111abcdef8.cloudfront.net http - 0.002 - - - Hit HTTP/1.1
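Steps 1 and 3 of the PoC, feature engineering and evaluation on real log data, are the part a practitioner has to build themselves, so here is an added example of that plumbing; it is not the PoC's own code and the slides do not say which features the PoC used. It parses the CloudFront access log format shown above (CloudFront writes it tab-separated; the extraction collapsed the tabs to spaces), pulls out cs(Referer), and turns each referrer domain into five lexical features (length, character entropy, digit ratio, vowel ratio, longest consonant run) that are a usual first cut for separating dictionary-word domains from algorithmically generated ones. SAMPLE_LOG is constructed from the slide's sample values with one invented DGA-looking referrer added; the function names are this example's.

```python
"""Referrer-domain features from CloudFront logs (added example, not PoC code)."""
import math
from collections import Counter
from urllib.parse import urlsplit

VOWELS = set("aeiou")


def parse_cloudfront_log(text):
    """One dict per record, keyed by the names on the '#Fields:' header line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue                      # '#Version:' and blank lines
        elif fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def referrer_domain(referer):
    """Normalise cs(Referer) to a bare lower-case host; '-' means no referrer."""
    if not referer or referer == "-":
        return None
    if "://" not in referer:              # logs may carry a bare host
        referer = "http://" + referer
    host = urlsplit(referer).hostname     # already lower-cased by urlsplit
    return host.rstrip(".") if host else None


def domain_features(domain):
    """Lexical features of the registrable label (crudely: second label from the right)."""
    labels = domain.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    n = len(label)
    counts = Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    letters = [ch for ch in label if ch.isalpha()]
    run = longest = 0
    for ch in label:                      # y is counted as a consonant here
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {
        "length": n,
        "entropy": round(entropy, 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in label) / n, 3),
        "vowel_ratio": round(sum(ch in VOWELS for ch in letters) / max(len(letters), 1), 3),
        "longest_consonant_run": longest,
    }


def feature_rows(log_text):
    """Rows (domain + features) ready to be written as the Amazon ML CSV input."""
    rows = []
    for rec in parse_cloudfront_log(log_text):
        domain = referrer_domain(rec.get("cs(Referer)"))
        if domain:                        # records without a referrer carry no signal
            rows.append({"domain": domain, **domain_features(domain)})
    return rows


FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
          "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes "
          "time-taken x-forwarded-for ssl-protocol ssl-cipher "
          "x-edge-response-result-type cs-protocol-version")


def _record(referer):
    # Constructed record modelled on the slide's sample; only the referrer varies.
    return "\t".join(["2014-05-23", "01:13:11", "FRA2", "182", "192.0.2.10", "GET",
                      "d111111abcdef8.cloudfront.net", "/view/my/file.html", "200",
                      referer, "Mozilla/4.0%20(compatible;%20MSIE%205.0b1;%20Mac_PowerPC)",
                      "-", "zip=98101", "RefreshHit", "REQUESTIDEXAMPLE==",
                      "d111111abcdef8.cloudfront.net", "http", "-", "0.001", "-", "-", "-",
                      "RefreshHit", "HTTP/1.1"])


SAMPLE_LOG = "\n".join(["#Version: 1.0", "#Fields: " + FIELDS,
                        _record("www.displaymyfiles.com"),
                        _record("http://www.unknownsingers.com/"),
                        _record("-"),
                        _record("http://xk3qv7zt9w.example/")])   # constructed, DGA-looking

if __name__ == "__main__":
    for row in feature_rows(SAMPLE_LOG):
        print(row)
```

On the constructed input the dictionary-word referrers come out with zero digits and a vowel ratio near 0.3, while the invented DGA-looking label has a 0.3 digit ratio, no vowels and the highest entropy; those are the kinds of separations the trained model learns, with the Alexa list and the phishing list on the next slide supplying the labels.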

Page 80: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF with Amazon Machine Learning

Page 81: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF with Amazon Machine Learning

Demo

Page 82: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

AWS WAF with Amazon Machine Learning

How good is our machine learning model

Category / Result

Accuracy: 98%

Recall (true positive rate): 78%

False positive rate: 1%

True negative rate: 99%

Page 83: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Summary

Spend less time securing your applications

Instead, focus on building applications

1. Provisioning WAF – Reuse rules

2. Configuring WAF – Get started in minutes using CloudFormation template

3. Importing rules –

4. Automated incident response – DevOps WAF

5. Learning-based WAF –

Page 84: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Summary

Spend less time securing your applications

Instead, focus on building applications

Provisioning WAF: Reuse rules

Configuring rules: Configure common protections in minutes using CloudFormation templates

Importing rules: Automated reputation list from external sources

Automated incident response: Advanced application-specific firewall rules

Learning-based protections: Smart adaptive protections using Amazon ML

Page 85: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Remember to complete your evaluations!

Page 86: AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Thank you!

Get started with AWS WAF:

https://console.aws.amazon.com/waf